[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1124366: marked as done (trixie-pu: package imagemagick/8:7.1.1.43+dfsg1-1+deb13u4)

Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <E1veXWE-00000004Reu-1k9g@coccia.debian.org>
and subject line Released with 13.3
has caused the Debian Bug report #1124366,
regarding trixie-pu: package imagemagick/8:7.1.1.43+dfsg1-1+deb13u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1124366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124366
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: imagemagick@packages.debian.org
X-Debbugs-Cc: security@debian.org
Control: affects -1 + src:imagemagick
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
CVE-2025-62594
CVE-2025-65955
CVE-2025-66628
CVE-2025-68618
CVE-2025-68950
CVE-2025-69204

[ Impact ]
low

[ Tests ]
debci, internal testsuite, debusine

[ Risks ]
low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]


[ Other info ]
CVE-2025-62594
CVE-2025-65955
CVE-2025-66628
CVE-2025-68618
CVE-2025-68950
CVE-2025-69204

diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog
--- imagemagick-7.1.1.43+dfsg1/debian/changelog	2025-10-19 10:37:32.000000000 +0200
+++ imagemagick-7.1.1.43+dfsg1/debian/changelog	2025-12-29 00:33:04.000000000 +0100
@@ -1,3 +1,41 @@
+imagemagick (8:7.1.1.43+dfsg1-1+deb13u4) trixie; urgency=high
+
+  * Fix CVE-2025-62594 (Closes: #1119296)
+    Imagemagick is vulnerable to denial-of-service due to unsigned integer
+    underflow and division-by-zero in the CLAHEImage function. When tile
+    width or height is zero, unsigned underflow occurs in pointer
+    arithmetic, leading to out-of-bounds memory access, and
+    division-by-zero causes immediate crashes.
+  * Fix CVE-2025-65955 (Closes: #1122827)
+    There is a vulnerability in ImageMagick’s Magick++ layer that
+    manifests when Options::fontFamily is invoked with an empty
+    string. Clearing a font family calls RelinquishMagickMemory on
+    _drawInfo->font, freeing the font string but leaving _drawInfo->font
+    pointing to freed memory while _drawInfo->family is set to that
+    (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font
+    re-frees or dereferences dangling memory. DestroyDrawInfo and other
+    setters (Options::font, Image::font) assume _drawInfo->font remains
+    valid, so destruction or subsequent updates trigger crashes or heap
+    corruption.
+  * Fix CVE-2025-66628 (Closes: #1122584)
+    The TIM (PSX TIM) image parser contains a critical integer overflow
+    vulnerability in its ReadTIMImage function (coders/tim.c). The code
+    reads width and height (16-bit values) from the file header and
+    calculates image_size = 2 * width * height without checking for
+    overflow. On 32-bit systems (or where size_t is 32-bit), this
+    calculation can overflow if width and height are large (e.g., 65535),
+    wrapping around to a small value.
+  * Fix CVE-2025-68618:
+    Magick's failure to limit the depth of SVG file reads caused
+    a DoS attack.
+  * Do not allow vid for vector graphics
+  * Fix CVE-2025-68950:
+    Magick's failure to limit MVG mutual references forming a loop
+  * Fix CVE-2025-69204:
+    Converting a malicious MVG file to SVG caused an integer overflow.
+
+ -- Bastien Roucariès <rouca@debian.org>  Mon, 29 Dec 2025 00:33:04 +0100
+
 imagemagick (8:7.1.1.43+dfsg1-1+deb13u3) trixie; urgency=high
 
   * Fix CVE-2025-62171 (Closes: #1118340)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch	2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,363 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 18 Oct 2025 10:54:39 -0400
+Subject: CVE-2025-62594
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp
+origin: https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129
+
+[backport]
+In order to ease backport minimise difference of image-private.h and add compat wrapper
+
+(cherry picked from commit 7b47fe369eda90483402fcd3d78fa4167d3bb129)
+---
+ MagickCore/composite.c     |   3 +-
+ MagickCore/enhance.c       |  48 +++++++++--------
+ MagickCore/image-private.h | 131 ++++++++++++++++++++++++++++++++++++---------
+ 3 files changed, 134 insertions(+), 48 deletions(-)
+
+diff --git a/MagickCore/composite.c b/MagickCore/composite.c
+index a5dfedc..2244cd1 100644
+--- a/MagickCore/composite.c
++++ b/MagickCore/composite.c
+@@ -999,7 +999,8 @@ static MagickBooleanType CompositeOverImage(Image *image,
+           }
+         pixels=p;
+         if (x_offset < 0)
+-          p-=(ptrdiff_t)CastDoubleToLong((double) x_offset*GetPixelChannels(source_image));
++          p-=(ptrdiff_t) CastDoubleToSsizeT((double) x_offset*
++            GetPixelChannels(source_image));
+       }
+     q=GetCacheViewAuthenticPixels(image_view,0,y,image->columns,1,exception);
+     if (q == (Quantum *) NULL)
+diff --git a/MagickCore/enhance.c b/MagickCore/enhance.c
+index ee9d304..ee39476 100644
+--- a/MagickCore/enhance.c
++++ b/MagickCore/enhance.c
+@@ -69,6 +69,7 @@
+ #include "MagickCore/option.h"
+ #include "MagickCore/pixel.h"
+ #include "MagickCore/pixel-accessor.h"
++#include "MagickCore/pixel-private.h"
+ #include "MagickCore/property.h"
+ #include "MagickCore/quantum.h"
+ #include "MagickCore/quantum-private.h"
+@@ -318,11 +319,8 @@ static void ClipCLAHEHistogram(const double clip_limit,const size_t number_bins,
+     return;
+   cumulative_excess=0;
+   for (i=0; i < (ssize_t) number_bins; i++)
+-  {
+-    excess=(ssize_t) histogram[i]-(ssize_t) clip_limit;
+-    if (excess > 0)
+-      cumulative_excess+=excess;
+-  }
++    if (histogram[i] > clip_limit)
++      cumulative_excess+=(ssize_t) (histogram[i]-clip_limit);
+   /*
+     Clip histogram and redistribute excess pixels across all bins.
+   */
+@@ -481,9 +479,6 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+   MemoryInfo
+     *tile_cache;
+ 
+-  unsigned short
+-    *p;
+-
+   size_t
+     limit,
+     *tiles;
+@@ -492,15 +487,16 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+     y;
+ 
+   unsigned short
+-    *lut;
++    *lut,
++    *p;
+ 
+   /*
+     Contrast limited adapted histogram equalization.
+   */
+   if (clip_limit == 1.0)
+     return(MagickTrue);
+-  tile_cache=AcquireVirtualMemory((size_t) clahe_info->x*number_bins,
+-    (size_t) clahe_info->y*sizeof(*tiles));
++  tile_cache=AcquireVirtualMemory((size_t) clahe_info->x*number_bins,(size_t)
++    clahe_info->y*sizeof(*tiles));
+   if (tile_cache == (MemoryInfo *) NULL)
+     return(MagickFalse);
+   lut=(unsigned short *) AcquireQuantumMemory(NumberCLAHEGrays,sizeof(*lut));
+@@ -510,7 +506,8 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+       return(MagickFalse);
+     }
+   tiles=(size_t *) GetVirtualMemoryBlob(tile_cache);
+-  limit=(size_t) (clip_limit*(tile_info->width*tile_info->height)/number_bins);
++  limit=(size_t) (clip_limit*((double) tile_info->width*tile_info->height)/
++    number_bins);
+   if (limit < 1UL)
+     limit=1UL;
+   /*
+@@ -535,7 +532,7 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+         tile_info->height,histogram);
+       p+=(ptrdiff_t) tile_info->width;
+     }
+-    p+=(ptrdiff_t) clahe_info->width*(tile_info->height-1);
++    p+=CastDoubleToPtrdiffT((double) clahe_info->width*(tile_info->height-1));
+   }
+   /*
+     Interpolate greylevel mappings to get CLAHE image.
+@@ -576,6 +573,12 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+         }
+     for (x=0; x <= (ssize_t) clahe_info->x; x++)
+     {
++      double
++        Q11,
++        Q12,
++        Q21,
++        Q22;
++
+       tile.width=tile_info->width;
+       tile.x=x-1;
+       offset.x=tile.x+1;
+@@ -598,15 +601,16 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+             tile.x=clahe_info->x-1;
+             offset.x=tile.x;
+           }
+-      InterpolateCLAHE(clahe_info,
+-        tiles+((ssize_t) number_bins*(tile.y*clahe_info->x+tile.x)),   /* Q12 */
+-        tiles+((ssize_t) number_bins*(tile.y*clahe_info->x+offset.x)), /* Q22 */
+-        tiles+((ssize_t) number_bins*(offset.y*clahe_info->x+tile.x)), /* Q11 */
+-        tiles+((ssize_t) number_bins*(offset.y*clahe_info->x+offset.x)), /* Q21 */
+-        &tile,lut,p);
++      Q12=(double) number_bins*(tile.y*clahe_info->x+tile.x);
++      Q22=(double) number_bins*(tile.y*clahe_info->x+offset.x);
++      Q11=(double) number_bins*(offset.y*clahe_info->x+tile.x);
++      Q21=(double) number_bins*(offset.y*clahe_info->x+offset.x);
++      InterpolateCLAHE(clahe_info,tiles+CastDoubleToPtrdiffT(Q12),
++        tiles+CastDoubleToPtrdiffT(Q22),tiles+CastDoubleToPtrdiffT(Q11),
++        tiles+CastDoubleToPtrdiffT(Q21),&tile,lut,p);
+       p+=(ptrdiff_t) tile.width;
+     }
+-    p+=(ptrdiff_t) clahe_info->width*(tile.height-1);
++    p+=CastDoubleToPtrdiffT((double) clahe_info->width*(tile.height-1));
+   }
+   lut=(unsigned short *) RelinquishMagickMemory(lut);
+   tile_cache=RelinquishVirtualMemory(tile_cache);
+@@ -659,10 +663,10 @@ MagickExport MagickBooleanType CLAHEImage(Image *image,const size_t width,
+     (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
+   range_info.min=0;
+   range_info.max=NumberCLAHEGrays-1;
+-  tile_info.width=width;
++  tile_info.width=MagickMax(width,2);
+   if (tile_info.width == 0)
+     tile_info.width=image->columns >> 3;
+-  tile_info.height=height;
++  tile_info.height=MagickMax(height,2);
+   if (tile_info.height == 0)
+     tile_info.height=image->rows >> 3;
+   tile_info.x=0;
+diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h
+index a7cd99c..f33e1aa 100644
+--- a/MagickCore/image-private.h
++++ b/MagickCore/image-private.h
+@@ -46,13 +46,17 @@ extern "C" {
+ #define MagickPHI    1.61803398874989484820458683436563811772030917980576
+ #define MagickPI2    1.57079632679489661923132169163975144209858469968755
+ #define MagickPI     3.1415926535897932384626433832795028841971693993751058209749445923078164062
++#define MAGICK_PTRDIFF_MAX  (PTRDIFF_MAX)
++#define MAGICK_PTRDIFF_MIN  (-PTRDIFF_MAX-1)
+ #define MagickSQ1_2  0.70710678118654752440084436210484903928483593768847
+ #define MagickSQ2    1.41421356237309504880168872420969807856967187537695
+ #define MagickSQ2PI  2.50662827463100024161235523934010416269302368164062
+ #define MAGICK_SIZE_MAX  (SIZE_MAX)
+ #define MAGICK_SSIZE_MAX  (SSIZE_MAX)
+ #define MAGICK_SSIZE_MIN  (-SSIZE_MAX-1)
++#define MAGICK_UINT_MAX  (UINT_MAX)
+ #define MAGICK_ULONG_MAX  (ULONG_MAX)
++#define MAGICK_USHORT_MAX  (USHRT_MAX)
+ #define MatteColor  "#bdbdbd"  /* gray */
+ #define MatteColorRGBA  ScaleShortToQuantum(0xbdbd),\
+   ScaleShortToQuantum(0xbdbd),ScaleShortToQuantum(0xbdbd),OpaqueAlpha
+@@ -65,7 +69,7 @@ extern "C" {
+ #define UndefinedCompressionQuality  0UL
+ #define UndefinedTicksPerSecond  100L
+ 
+-static inline ssize_t CastDoubleToLong(const double x)
++static inline ptrdiff_t CastDoubleToPtrdiffT(const double x)
+ {
+   double
+     value;
+@@ -75,48 +79,70 @@ static inline ssize_t CastDoubleToLong(const double x)
+       errno=ERANGE;
+       return(0);
+     }
+-  if (x < 0.0)
++  value=(x < 0.0) ? ceil(x) : floor(x);
++  if (value < ((double) MAGICK_PTRDIFF_MIN))
+     {
+-      value=ceil(x);
+-      if (value < ((double) MAGICK_SSIZE_MIN))
+-        {
+-          errno=ERANGE;
+-          return((ssize_t) MAGICK_SSIZE_MIN);
+-        }
++      errno=ERANGE;
++      return(MAGICK_PTRDIFF_MIN);
+     }
+-  else
++  if (value > ((double) MAGICK_PTRDIFF_MAX))
+     {
+-      value=floor(x);
+-      if (value > ((double) MAGICK_SSIZE_MAX))
+-        {
+-          errno=ERANGE;
+-          return((ssize_t) MAGICK_SSIZE_MAX);
+-        }
++      errno=ERANGE;
++      return(MAGICK_PTRDIFF_MAX);
+     }
+-  return((ssize_t) value);
++  return((ptrdiff_t) value);
+ }
+ 
+ static inline QuantumAny CastDoubleToQuantumAny(const double x)
+ {
++  double
++    value;
++
+   if (IsNaN(x) != 0)
+     {
+       errno=ERANGE;
+       return(0);
+     }
+-  if (x > ((double) ((QuantumAny) ~0)))
++  value=(x < 0.0) ? ceil(x) : floor(x);
++  if (value < 0.0)
++    {
++      errno=ERANGE;
++      return(0);
++    }
++  if (value > ((double) ((QuantumAny) ~0)))
+     {
+       errno=ERANGE;
+       return((QuantumAny) ~0);
+     }
+-  if (x < 0.0)
++  return((QuantumAny) value);
++}
++
++static inline size_t CastDoubleToSizeT(const double x)
++{
++  double
++    value;
++
++  if (IsNaN(x) != 0)
+     {
+       errno=ERANGE;
+-      return((QuantumAny) 0);
++      return(0);
+     }
+-  return((QuantumAny) (x+0.5));
++  value=(x < 0.0) ? ceil(x) : floor(x);
++  if (value < 0.0)
++    {
++      errno=ERANGE;
++      return(0);
++    }
++  if (value > ((double) MAGICK_SIZE_MAX))
++    {
++      errno=ERANGE;
++      return(MAGICK_SIZE_MAX);
++    }
++  return((size_t) value);
+ }
+ 
+-static inline size_t CastDoubleToUnsigned(const double x)
++
++static inline ssize_t CastDoubleToSsizeT(const double x)
+ {
+   double
+     value;
+@@ -126,18 +152,65 @@ static inline size_t CastDoubleToUnsigned(const double x)
+       errno=ERANGE;
+       return(0);
+     }
+-  value=floor(x);
+-  if (value >= ((double) MAGICK_SIZE_MAX))
++  value=(x < 0.0) ? ceil(x) : floor(x);
++  if (value < ((double) MAGICK_SSIZE_MIN))
++    {
++      errno=ERANGE;
++      return(MAGICK_SSIZE_MIN);
++    }
++  if (value > ((double) MAGICK_SSIZE_MAX))
++    {
++      errno=ERANGE;
++      return(MAGICK_SSIZE_MAX);
++    }
++  return((ssize_t) value);
++}
++
++static inline unsigned int CastDoubleToUInt(const double x)
++{
++  double
++    value;
++  if (IsNaN(x) != 0)
++    {
++      errno=ERANGE;
++      return(0);
++    }
++  value=(x < 0.0) ? ceil(x) : floor(x);
++  if (value < 0.0)
+     {
+       errno=ERANGE;
+-      return((size_t) MAGICK_SIZE_MAX);
++      return((QuantumAny) 0);
+     }
++  if (value > ((double) MAGICK_UINT_MAX))
++    {
++      errno=ERANGE;
++      return(MAGICK_UINT_MAX);
++    }
++  return((unsigned int) value);
++}
++
++static inline unsigned short CastDoubleToUShort(const double x)
++{
++  double
++    value;
++
++  if (IsNaN(x) != 0)
++    {
++      errno=ERANGE;
++      return(0);
++    }
++  value=(x < 0.0) ? ceil(x) : floor(x);
+   if (value < 0.0)
+     {
+       errno=ERANGE;
+       return(0);
+     }
+-  return((size_t) value);
++  if (value > ((double) MAGICK_USHORT_MAX))
++    {
++      errno=ERANGE;
++      return(MAGICK_USHORT_MAX);
++    }
++  return((unsigned short) value);
+ }
+ 
+ static inline double DegreesToRadians(const double degrees)
+@@ -189,6 +262,14 @@ static inline unsigned int ScaleColor8to6(const unsigned char color)
+   return((unsigned int) (((color) & ~0x03) >> 2));
+ }
+ 
++/* compat inline wrapper for backport ease */
++static inline ssize_t CastDoubleToLong(const double x) {
++  return CastDoubleToSsizeT(x);
++}
++
++static inline size_t CastDoubleToUnsigned(const double x) {
++  return CastDoubleToSizeT(x);
++}
+ #if defined(__cplusplus) || defined(c_plusplus)
+ }
+ #endif
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch	2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,23 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sun, 23 Nov 2025 09:17:29 +0100
+Subject: Correct incorrect free (GHSA-q3hc-j9x5-mp9m)
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/6f81eb15f822ad86e8255be75efad6f9762c32f8
+bug-debian: https://bugs.debian.org/1122827
+---
+ Magick++/lib/Options.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp
+index 9a2c3fb..2212c9e 100644
+--- a/Magick++/lib/Options.cpp
++++ b/Magick++/lib/Options.cpp
+@@ -310,7 +310,7 @@ void Magick::Options::fontFamily(const std::string &family_)
+ {
+   if (family_.length() == 0)
+     {
+-      _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
++      _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family);
+       DestroyString(RemoveImageOption(imageInfo(),"family"));
+     }
+   else
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch	2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,25 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Tue, 2 Dec 2025 22:49:12 +0100
+Subject: Added extra check to avoid an overflow on 32-bit machines
+ (GHSA-6hjr-v6g4-3fm8)
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/bdae0681ad1e572defe62df85834218f01e6d670
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122584
+---
+ coders/tim.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tim.c b/coders/tim.c
+index 4c094ac..fcfd926 100644
+--- a/coders/tim.c
++++ b/coders/tim.c
+@@ -231,7 +231,8 @@ static Image *ReadTIMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+     (void) ReadBlobLSBShort(image);
+     width=ReadBlobLSBShort(image);
+     height=ReadBlobLSBShort(image);
+-    image_size=2*width*height;
++    if (HeapOverflowSanityCheckGetSize(2*width,height,&image_size) != MagickFalse)
++      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+     if (image_size > GetBlobSize(image))
+       ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+     bytes_per_line=width*2;
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch	2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,106 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 21 Dec 2025 12:43:08 -0500
+Subject: CVE-2025-68618
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637
+origin: https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb
+---
+ coders/msl.c | 24 ++++++++++++++++--------
+ coders/svg.c |  8 +++++++-
+ 2 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/coders/msl.c b/coders/msl.c
+index dc7a8bf..80468b1 100644
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -120,6 +120,7 @@ typedef struct _MSLInfo
+     *exception;
+ 
+   ssize_t
++    depth,
+     n,
+     number_groups;
+ 
+@@ -328,6 +329,10 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+   RectangleInfo
+     geometry;
+ 
++  size_t
++    height,
++    width;
++
+   ssize_t
+     i,
+     j,
+@@ -336,11 +341,6 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+     x,
+     y;
+ 
+-
+-  size_t
+-    height,
+-    width;
+-
+   xmlParserCtxtPtr
+     parser;
+ 
+@@ -352,6 +352,13 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+   exception=AcquireExceptionInfo();
+   parser=(xmlParserCtxtPtr) context;
+   msl_info=(MSLInfo *) parser->_private;
++  if (msl_info->depth++ >= MagickMaxRecursionDepth)
++    {        
++      (void) ThrowMagickException(msl_info->exception,GetMagickModule(),
++        DrawError,"VectorGraphicsNestedTooDeeply","`%s'",tag);
++      xmlStopParser((xmlParserCtxtPtr) context);
++      return;
++    }
+   n=msl_info->n;
+   keyword=(const char *) NULL;
+   value=(char *) NULL;
+@@ -7057,15 +7064,15 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+ 
+ static void MSLEndElement(void *context,const xmlChar *tag)
+ {
+-  ssize_t
+-    n;
+-
+   MSLInfo
+     *msl_info;
+ 
+   xmlParserCtxtPtr
+     parser;
+ 
++  ssize_t
++    n;
++
+   /*
+     Called when the end of an element has been detected.
+   */
+@@ -7158,6 +7165,7 @@ static void MSLEndElement(void *context,const xmlChar *tag)
+   }
+   if (msl_info->content != (char *) NULL)
+     msl_info->content=DestroyString(msl_info->content);
++  msl_info->depth--;
+ }
+ 
+ static void MSLCharacters(void *context,const xmlChar *c,int length)
+diff --git a/coders/svg.c b/coders/svg.c
+index b1ac078..6a06974 100644
+--- a/coders/svg.c
++++ b/coders/svg.c
+@@ -1249,7 +1249,13 @@ static void SVGStartElement(void *context,const xmlChar *name,
+     name);
+   parser=(xmlParserCtxtPtr) context;
+   svg_info=(SVGInfo *) parser->_private;
+-  svg_info->n++;
++  if (svg_info->n++ > MagickMaxRecursionDepth)
++    {
++      (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
++        DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
++      xmlStopParser((xmlParserCtxtPtr) context);
++      return;
++    }
+   svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,(size_t)
+     svg_info->n+1,sizeof(*svg_info->scale));
+   if (svg_info->scale == (double *) NULL)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch	2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,23 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 26 Dec 2025 11:22:12 -0500
+Subject: CVE-2025-68950
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j
+origin: https://github.com/ImageMagick/ImageMagick/commit/204718c2211903949dcfc0df8e65ed066b008dec
+(cherry picked from commit 204718c2211903949dcfc0df8e65ed066b008dec)
+---
+ MagickCore/draw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
+index 6f1770f..5f0ff88 100644
+--- a/MagickCore/draw.c
++++ b/MagickCore/draw.c
+@@ -5688,6 +5688,7 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+               if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
+                   (LocaleCompare(clone_info->magick,"http") != 0) &&
+                   (LocaleCompare(clone_info->magick,"https") != 0) &&
++                  (LocaleCompare(clone_info->magick,"mvg") != 0) &&
+                   (LocaleCompare(clone_info->magick,"vid") != 0))
+                 composite_images=ReadImage(clone_info,exception);
+               else
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch	2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,27 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 9 Feb 2025 10:30:42 -0500
+Subject: vid: format not supported in vector graphics
+
+[backport]
+- strictly not needed but a good idea to remove unsupported vector graphics format
+- hardening from a security point of view
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/678372c9b4c6bad5bbcf998d5eca506103f587eb
+---
+ MagickCore/draw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
+index 6657675..6f1770f 100644
+--- a/MagickCore/draw.c
++++ b/MagickCore/draw.c
+@@ -5687,7 +5687,8 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+             else
+               if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
+                   (LocaleCompare(clone_info->magick,"http") != 0) &&
+-                  (LocaleCompare(clone_info->magick,"https") != 0))
++                  (LocaleCompare(clone_info->magick,"https") != 0) &&
++                  (LocaleCompare(clone_info->magick,"vid") != 0))
+                 composite_images=ReadImage(clone_info,exception);
+               else
+                 (void) ThrowMagickException(exception,GetMagickModule(),
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch	2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,69 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 27 Dec 2025 14:37:23 -0500
+Subject: CVE-2025-69204
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/2c08c2311693759153c9aa99a6b2dcb5f985681e
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw
+(cherry picked from commit 2c08c2311693759153c9aa99a6b2dcb5f985681e)
+---
+ coders/svg.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/coders/svg.c b/coders/svg.c
+index 6a06974..09705fc 100644
+--- a/coders/svg.c
++++ b/coders/svg.c
+@@ -1249,13 +1249,14 @@ static void SVGStartElement(void *context,const xmlChar *name,
+     name);
+   parser=(xmlParserCtxtPtr) context;
+   svg_info=(SVGInfo *) parser->_private;
+-  if (svg_info->n++ > MagickMaxRecursionDepth)
++  if (svg_info->n >= MagickMaxRecursionDepth)
+     {
+       (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
+         DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
+       xmlStopParser((xmlParserCtxtPtr) context);
+       return;
+     }
++  svg_info->n++;
+   svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,(size_t)
+     svg_info->n+1,sizeof(*svg_info->scale));
+   if (svg_info->scale == (double *) NULL)
+@@ -4721,17 +4722,33 @@ static MagickBooleanType WriteSVGImage(const ImageInfo *image_info,Image *image,
+       }
+       case PathPrimitive:
+       {
+-        int
+-          number_attributes;
++        size_t
++          number_attributes,
++          quantum;
+ 
+         (void) GetNextToken(q,&q,extent,token);
+         number_attributes=1;
+         for (p=token; *p != '\0'; p++)
+           if (isalpha((int) ((unsigned char) *p)) != 0)
+             number_attributes++;
+-        if (i > ((ssize_t) number_points-6*BezierQuantum*number_attributes-1))
++        if ((6*BezierQuantum) >= (MAGICK_SSIZE_MAX/number_attributes))
+           {
+-            number_points+=(size_t) (6*BezierQuantum*number_attributes);
++            (void) ThrowMagickException(exception,GetMagickModule(),
++              ResourceLimitError,"MemoryAllocationFailed","`%s'",
++              image->filename);
++            break;
++          }
++        quantum=(size_t) 6*BezierQuantum*number_attributes;
++        if (number_points >= (MAGICK_SSIZE_MAX-quantum))
++          {
++            (void) ThrowMagickException(exception,GetMagickModule(),
++              ResourceLimitError,"MemoryAllocationFailed","`%s'",
++              image->filename);
++            break;
++          }
++        if (i > (ssize_t) (number_points-quantum-1))
++          {
++            number_points+=(size_t) quantum;
+             primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info,
+               number_points,sizeof(*primitive_info));
+             if (primitive_info == (PrimitiveInfo *) NULL)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series
--- imagemagick-7.1.1.43+dfsg1/debian/patches/series	2025-10-19 10:37:32.000000000 +0200
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/series	2025-12-29 00:33:04.000000000 +0100
@@ -53,3 +53,10 @@
 CVE-2025-57803.patch
 CVE-2025-57807.patch
 CVE-2025-62171.patch
+CVE-2025-62594.patch
+CVE-2025-65955.patch
+CVE-2025-66628.patch
+CVE-2025-68618.patch
+CVE-2025-68950_pre1.patch
+CVE-2025-68950.patch
+CVE-2025-69204.patch

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
--- Begin Message --- 
Package: release.debian.org\nVersion: 13.3\n\nThis update has been released as part of Debian 13.3.

--- End Message ---
Reply to: